Package details

destr

unjs · 11.7m · MIT · 2.0.5

A faster, secure and convenient alternative for JSON.parse

readme

destr

A faster, secure and convenient alternative for JSON.parse.

Usage

Node.js

Install dependency:

# npm
npm i destr

# yarn
yarn add destr

# pnpm
pnpm i destr

Import into your Node.js project:

// ESM
import { destr, safeDestr } from "destr";

// CommonJS
const { destr, safeDestr } = require("destr");

Deno

import { destr, safeDestr } from "https://deno.land/x/destr/src/index.ts";

console.log(destr('{ "deno": "yay" }'));

Why?

✅ Type Safe

const obj = JSON.parse("{}"); // obj type is any

const obj = destr("{}"); // obj type is unknown by default

const obj = destr<MyInterface>("{}"); // obj is well-typed

✅ Fast fallback to the input if it is not a string

// Uncaught SyntaxError: Unexpected token u in JSON at position 0
JSON.parse();

// undefined
destr();

✅ Fast lookup for known string values

// Uncaught SyntaxError: Unexpected token T in JSON at position 0
JSON.parse("TRUE");

// true
destr("TRUE");

✅ Fallback to original value if parse fails (empty or any plain string)

// Uncaught SyntaxError: Unexpected token s in JSON at position 0
JSON.parse("salam");

// "salam"
destr("salam");

Note: This fails in safe/strict mode with safeDestr.

✅ Avoid prototype pollution

const input = '{ "user": { "__proto__": { "isAdmin": true } } }';

// { user: { __proto__: { isAdmin: true } } }
JSON.parse(input);

// { user: {} }
destr(input);
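Why the dropped key matters, shown as an added example that is not destr's own code: `JSON.parse` keeps `__proto__` as an ordinary own property, and the damage happens later when the parsed object is copied or merged. The helper names `parseWithoutProtoKeys` and `copyIsAdmin`, the sample input, and the exact key rules (`__proto__`, and `constructor` only when it carries a `prototype` member) are assumptions made for illustration.

```javascript
// Added example (not destr's source): a JSON.parse reviver that drops
// prototype-pollution keys and reports what it dropped.

// Constructed sample input, same shape as the README's example.
const SAMPLE = '{ "user": { "__proto__": { "isAdmin": true }, "name": "a" } }';

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hypothetical helper: parse `text`, removing "__proto__" keys and
// "constructor" keys whose value is an object with its own "prototype" member.
function parseWithoutProtoKeys(text) {
  const dropped = [];
  const value = JSON.parse(text, function (key, val) {
    const unsafe =
      key === "__proto__" ||
      (key === "constructor" && val !== null &&
        typeof val === "object" && hasOwn(val, "prototype"));
    if (unsafe) {
      dropped.push(key); // keep a record so the caller can log or alert
      return undefined;  // a reviver returning undefined deletes the property
    }
    return val;
  });
  return { value, dropped };
}

// What goes wrong without the filter: Object.assign copies with [[Set]],
// so the own "__proto__" key reaches the Object.prototype.__proto__ setter
// and replaces the prototype of the copy.
function copyIsAdmin(parsedUser) {
  const copy = Object.assign({}, parsedUser);
  return { own: hasOwn(copy, "isAdmin"), inherited: copy.isAdmin === true };
}

const unfiltered = copyIsAdmin(JSON.parse(SAMPLE).user);
const filtered = parseWithoutProtoKeys(SAMPLE);
const afterFilter = copyIsAdmin(filtered.value.user);

console.log(unfiltered);       // isAdmin is inherited, not own
console.log(afterFilter);      // isAdmin is absent
console.log(filtered.dropped); // keys removed during parsing
```

A check such as `if (user.isAdmin)` passes on the unfiltered copy even though `isAdmin` never appears as an own property, which is why filtering at parse time is more reliable than auditing every later merge.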

✅ Strict Mode

safeDestr throws an error if the input is not a valid JSON string or if parsing fails. Non-string values and built-ins are still returned as-is.

// Returns "[foo"
destr("[foo");

// Throws an error
safeDestr("[foo");

Benchmarks

destr is generally faster for arbitrary inputs, but it is sometimes a little slower than JSON.parse when parsing a valid JSON string, mainly because of the transform that avoids prototype pollution, which can lead to serious security issues if the input is not sanitized. In other words, destr is the better choice when the input is not always a JSON string or comes from an untrusted source such as a request body.

Check Benchmark Results or run with pnpm run bench:node or pnpm run bench:bun yourself!

License

MIT. Made with 💖

changelog

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

v2.0.5

📦 Build

  • Downgrade unbuild to avoid cjs type regression (09889c2)

❤️ Contributors

  • Pooya Parsa (@pi0)

v2.0.4

🔥 Performance

  • Faster plain string and known value checks (#136)

📦 Build

  • Add sideEffects to package.json (#137)

🏡 Chore

❤️ Contributors

v2.0.3

🩹 Fixes

  • Improve compatibility with runtimes not supporting String.prototype.at() (#102)

🏡 Chore

✅ Tests

❤️ Contributors

v2.0.2

🩹 Fixes

  • Parsing decimals and scientific notation (#94)
  • Avoid fast path with possible escape chars (#89)

📖 Documentation

  • Fix typos (#82)
  • Fix typo (#86)

🏡 Chore

❤️ Contributors

  • Pooya Parsa (@pi0)
  • Kricsleo
  • Nobkd
  • Alexander Lichter (@manniL)

v2.0.1

🔥 Performance

  • Avoid lowercasing long strings (#81)

📖 Documentation

  • Correct safeDestr example usage and tests (#75)

🏡 Chore

🎨 Styles

❤️ Contributors

v2.0.0

🚀 Enhancements

  • ⚠️ Support generic type with unknown default (#68)
  • Show warning when dropping unsafe keys (#57)
  • Support minus infinity (#67)
  • Support safeDestr (#70)
  • Parse double-quoted string with fast path (#71)

🔥 Performance

  • Move common check earlier (5be5732)

💅 Refactors

  • ⚠️ Use named destr export (#69)

🏡 Chore

⚠️ Breaking Changes

  • ⚠️ Support generic type with unknown default (#68)
  • ⚠️ Use named destr export (#69)

❤️ Contributors

1.2.2 (2022-12-05)

Bug Fixes

  • only purge constructor.prototype keys (#26) (87918d5)
  • support surrounding whitespaces (resolves #21) (639a5df)

1.2.1 (2022-11-14)

1.2.0 (2022-10-19)

Features

  • add option strict that throws an error if the input is not valid JSON (#11) (36c7121)

1.1.1 (2022-04-07)

1.1.0 (2021-01-21)

Features

1.0.1 (2020-11-08)

Bug Fixes

  • don't parse numbers if potential to exceed 15 digits (bc8c596)

1.0.0 (2020-06-16)

0.1.9 (2020-05-28)

Bug Fixes

0.1.8 (2020-05-28)

Bug Fixes

  • types: remove strict types (1513a48)

0.1.7 (2020-05-27)

Bug Fixes

  • don't throw error on parse fail (65e22c6)

0.1.6 (2020-05-27)

0.1.5 (2020-05-27)

Bug Fixes

  • use JsonSigRx to also match numbers (3023552)

0.1.4 (2020-05-22)

0.1.3 (2020-05-20)

Bug Fixes

0.1.2 (2020-05-20)

0.1.1 (2020-05-20)